Action Summary

Management and the board should manage and mitigate the identified
risks through effective internal and external audit, physical and
logical information security, business continuity planning, vendor
management, operational controls, and legal measures.

Risk management strategies should reflect the nature and
complexity of the institution's participation in retail payment
systems, including any support they offer to clearing and
settlement systems. Management should develop risk management
processes that capture not only operational risks, but also credit,
liquidity, strategic, reputational, legal, and compliance risks,
particularly as they engage in new retail payment products and
systems. Management should also develop an enterprise-wide
view of retail payment activities due to cross-channel risk.
These risk management processes should consider the risks posed by
third-party service providers.

Financial institutions should tailor their risk management
strategies to the nature and complexity of their participation in
retail payment systems, including any support they offer to
clearing and settlement systems. Financial institutions must
comply with federal and state laws and regulations, as well as with
operating rules of clearing houses and bankcard networks.
From the initiation of a retail payment transaction to its
settlement, financial institutions are exposed to certain
risks. For individual retail payment transactions, risks
resulting from compliance issues and potential operational failures
including fraud are always present. Operational failures can
increase costs, reduce earnings opportunities, and impair an
institution's ability to reflect its financial condition
accurately. Participation in retail payment systems may
expose financial institutions to credit, liquidity, and operational
risk, particularly during settlement activities. In addition,
a financial institution's credit, liquidity, and operational risks
may be interdependent with payment system operators and third
parties.

Risk profiles vary significantly based on the size and
complexity of the financial institution's retail payment system
products and services, IT infrastructure, and dependence on third
parties. All financial institutions should maintain an
effective internal control environment commensurate with the level
of retail payment products and services offered. Effective
internal controls should include financial, accounting, technical,
procedural, and administrative controls necessary to minimize risks
in the retail payment transaction, clearing, and settlement
processes. These measures reduce operational and credit
risks, ensure individual transactions are valid, and mitigate
processing and other errors. Effective controls also ensure that
supporting IT and network infrastructure promotes retail payment
transaction integrity, confidentiality, and availability.
Financial institutions engaging in retail payment system services
should be aware of the risks inherent in the activity.

Financial institutions have always offered a variety of retail
payment services; however, recent technological advances are
expanding the opportunities for the development of innovative
payment products and services. Financial institutions should
recognize the reputation and strategic risk of newer products and
services, which may lack consumer acceptance. Often,
participants will also face uncertainty regarding how state and
federal laws and regulations will apply to new payment
systems. The ongoing shift from paper to electronic payments
is increasing the participation of nonbanks in various payment
functions, such as payment processing. Financial institutions
should have a comprehensive and effective vendor and third-party
service provider risk management and oversight program. See the
IT Handbook Outsourcing Technology Services Booklet.